In recent years, China has in quick succession introduced various pieces of legislation in the areas of data and personal information protection. At the same time, Chinese authorities have been seen to take wide-ranging enforcement actions against corporations and individuals falling foul of the law, ranging from administrative inspections and targeted campaigns by administrative authorities to criminal investigations by the police. According to publicly reported court judgements in China in the period of 2018 to 2020, there were more than 200 civil dispute cases of alleged personal information related infringement claims, and over 2,900 criminal cases involving abuse of personal information.
With the introduction of the new Data Security Law (effective from 1 September 2021) and the Personal Information Protection Law (PIPL) (to come into effect on 1 November 2021), companies doing business in China may face more intense scrutiny on how business related and personal data are handled when conducting internal investigations in China.
What are the challenges posed to an investigation by personal data related issues?
The prolific use of online communications technology and the availability of multiple social messaging apps across the globe have raised significant challenges for companies as to how their employees conduct business and work related communications. This in turn poses systems control, regulatory compliance and practical concerns as to the monitoring and collection of business related data, and the extent to which personal data becomes intermingled with it. Consequently, companies have met various obstacles in finding and securing important evidence while ensuring that the investigation process and data collection measures are consistent with the constantly evolving laws and regulations in Mainland China. Typical scenarios include:
- Prevalent use of non-company issued devices for work related communications and business: Although communication records, emails and documentation for work related purposes are generally considered as company property, accessing such information that is stored electronically on non-company issued devices (laptops, mobile handsets, etc.) without the employee’s consent may be deemed by Chinese courts and regulators as infringing on the employee’s personal rights and interests residing in any personal information contained in these devices.
- Use of social messaging platforms with personal accounts for business and work purposes: Employees’ communications on personal accounts set up on social messaging platforms (such as WeChat, QQ and WhatsApp) via company-issued or personal devices are not accessible to employers without the employees’ consent. Some social messaging platforms, such as WeChat, also allow users to make payments or send documents to others, and those records are likewise not accessible to employers without the employees’ consent. Hence, getting access to this data will be very difficult, and employees usually object to it on data privacy grounds. Nonetheless, companies continue to allow their employees to conduct business related communications and to transfer business related documents via such personal accounts.
- Use of company-issued devices with dual SIM functions: As most new mobile phones now allow users to simultaneously use two SIM cards (i.e., two telephone numbers), employees often use both a company-issued SIM card and a personal SIM card in the same company-issued mobile phone. This creates some difficulty in determining which SIM card has been used to conduct business related communications and store business related data. It is also clear that an employer will not be able to access and review data contained in the employee’s personal SIM card without the card holder’s consent, even if the subject data is work related.
- Access to email servers within and outside of Mainland China: Multinational companies often have email servers sitting both inside and outside of China to serve their business operations in China. Chinese law, however, may impose certain cross-border transfer restrictions on a company trying to access and review such email server data as part of an internal investigation. Accessing email servers located in Mainland China without first adopting adequate data protection measures and obtaining the relevant employees’ / stakeholders’ specific consent may also violate certain data protection provisions under Chinese law. In addition, under the new PIPL, access to email servers located outside Mainland China may also be subject to the same cross-border data transfer restrictions as long as the purpose is to “assess or analyze the conduct of individuals in China.”
- Workplace monitoring: Certain personal information protection considerations may arise when an employer monitors business communications and data flows, for example for the prevention of data breach incidents or the gathering of evidence for an investigation. It should be noted that Chinese law generally prohibits monitoring without express consent, such as installing monitoring software on company-issued mobile phones or computers, recording employees’ telephone conversations, or tracking employees’ locations.
How can companies manage the handling of business related and personal data without jeopardizing an investigation?
- Obtain written consent from the relevant individuals if possible: Collection and handling of personal data (as well as business related data/communications intermingled with personal data) as part of an investigation without an individual employee’s consent may result in the affected employee bringing a lawsuit against the company or filing complaints with various local authorities.
- Involve local IT and legal teams to handle the locally stored server data: Ensure that data stored on and backed up to local servers is handled by the local entity’s IT and legal teams based in China, instead of individuals based outside of China. This will help to avoid creating potential cross-border transfer issues.
- Redact personal data before cross-border transfer: Making redactions on any personal data identified during the investigation before sending relevant materials / data to any reviewers outside of China.
What can companies do to reduce these risks and challenges in advance of any investigation?
A number of proactive steps can also be taken well in advance of any investigation:
- Establishing internal policies that require employees to use only company-issued devices for work related communications and business.
- At the employee on-boarding stage, have the employee agree to privacy and data use notices and consents with sufficient scope to cover the collection, processing, review and transfer of data for the purposes of investigations.
- Provide training to the IT and legal teams regarding the relevant personal data protection laws in China.
- Consider setting up corporate accounts on social messaging platforms such as WeChat and mandating their use for business and work related communications instead of personal accounts.